M1048 Application Isolation and Sandboxing
Application Isolation and Sandboxing refers to the technique of restricting the execution of code to a controlled and isolated environment (e.g., a virtual environment, container, or sandbox). This method prevents potentially malicious code from affecting the rest of the system or network by limiting access to sensitive resources and critical operations. The goal is to contain threats and minimize their impact. This mitigation can be implemented through the following measures:
Browser Sandboxing:
- Use Case: Implement browser sandboxing to isolate untrusted web content and prevent malicious web pages or scripts from accessing sensitive system resources or initiating unauthorized downloads.
- Implementation: Use browsers with built-in sandboxing features (e.g., Google Chrome, Microsoft Edge) or deploy enhanced browser security frameworks that limit the execution scope of active content. Consider controls that monitor or restrict script-based file generation and downloads commonly abused in evasion techniques like HTML smuggling.
Application Virtualization:
- Use Case: Deploy critical or high-risk applications in a virtualized environment to ensure any compromise does not affect the host system.
- Implementation: Use application virtualization platforms to run applications in isolated environments.
Email Attachment Sandboxing:
- Use Case: Route email attachments to a sandbox environment to detect and block malware before delivering emails to end-users.
- Implementation: Integrate security solutions with sandbox capabilities to analyze email attachments.
Endpoint Sandboxing:
- Use Case: Run all downloaded files and applications in a restricted environment to monitor their behavior for malicious activity.
- Implementation: Use endpoint protection tools for sandboxing at the endpoint level.
| Item | Value |
|---|---|
| ID | M1048 |
| Version | 1.3 |
| Created | 11 June 2019 |
| Last Modified | 09 May 2025 |
Techniques Addressed by Mitigation
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1189 | Drive-by Compromise | Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist.[2][3] |
| enterprise | T1611 | Escape to Host | Consider utilizing seccomp, seccomp-bpf, or a similar solution that restricts certain system calls such as mount. In Kubernetes environments, consider defining Pod Security Standards that limit container access to host process namespaces, the host network, and the host file system.[1] |
| enterprise | T1190 | Exploit Public-Facing Application | Application isolation will limit what other processes and system features the exploited target can access. |
| enterprise | T1203 | Exploitation for Client Execution | Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist.[2][3] |
| enterprise | T1212 | Exploitation for Credential Access | Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist.[3] |
| enterprise | T1211 | Exploitation for Defense Evasion | Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist.[3] |
| enterprise | T1068 | Exploitation for Privilege Escalation | Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist.[3] |
| enterprise | T1210 | Exploitation of Remote Services | Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist.[3] |
| enterprise | T1559 | Inter-Process Communication | Ensure all COM alerts and Protected View are enabled.[4] |
| enterprise | T1559.001 | Component Object Model | Ensure all COM alerts and Protected View are enabled.[4] |
| enterprise | T1559.002 | Dynamic Data Exchange | Ensure Protected View is enabled.[4] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.006 | HTML Smuggling | Use Browser Extensions or Built-in Security Tools that: |
| enterprise | T1027.017 | SVG Smuggling | Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist. |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.003 | Distributed Component Object Model | Ensure all COM alerts and Protected View are enabled.[4] |
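The T1611 (Escape to Host) row recommends seccomp or seccomp-bpf filters that deny system calls such as mount. The following is an added example, not code from the ATT&CK page or from MITRE, showing the smallest useful form of that control: a classic-BPF seccomp filter that makes mount(2) fail with ENOSYS for the calling process and all of its future children, while leaving every other system call alone. It assumes Linux on x86-64 or aarch64 and a compiler with the standard kernel UAPI headers; the function names `install_no_mount_filter` and `try_mount_errno` are this example's own. The architecture check at the top of the filter is part of the technique, not an optional extra: without it a process could issue the same syscall through a different ABI whose syscall numbers do not match.

```c
/* Added example (not part of the ATT&CK page): a minimal seccomp-bpf filter
 * that denies mount(2) with ENOSYS and allows everything else.
 * Linux only; built for x86-64 or aarch64. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define EXAMPLE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define EXAMPLE_ARCH AUDIT_ARCH_AARCH64
#else
#error "this example only handles x86-64 and aarch64"
#endif

/* Older UAPI headers only define SECCOMP_RET_KILL (kills the thread). */
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Install the filter on the calling process. Returns 0 on success, -1 on failure
 * (errno set by prctl). The filter is inherited across fork and execve. */
int install_no_mount_filter(void)
{
    struct sock_filter filter[] = {
        /* Load the syscall architecture; kill the process if it is not the ABI
           this filter was written against (prevents cross-ABI bypass). */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, EXAMPLE_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* Load the syscall number. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* mount(2): do not execute it, return -ENOSYS to the caller instead. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mount, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (ENOSYS & SECCOMP_RET_DATA)),
        /* Anything else: allow. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };

    /* no_new_privs lets an unprivileged process install a filter and stops
       execve of setuid binaries from regaining the privileges it gives up. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

/* Attempt a tmpfs mount on /tmp and return the errno it produced
 * (0 if it unexpectedly succeeded, in which case it is undone). */
int try_mount_errno(void)
{
    errno = 0;
    if (mount("none", "/tmp", "tmpfs", 0, NULL) == 0) {
        umount("/tmp");
        return 0;
    }
    return errno;
}

int main(void)
{
    if (install_no_mount_filter() != 0) {
        perror("installing seccomp filter");
        return 1;
    }
    /* Once the filter is in place this reports ENOSYS rather than EPERM,
       which shows the call was refused by the filter, not by capabilities. */
    printf("mount(2) after filter: errno=%d (ENOSYS=%d)\n", try_mount_errno(), ENOSYS);
    return 0;
}
```

In a container the same effect is normally obtained by keeping the runtime's default seccomp profile rather than writing BPF by hand; in Kubernetes that corresponds to setting `securityContext.seccompProfile.type: RuntimeDefault` on the pod, which the Restricted Pod Security Standard requires. Returning a distinctive errno (here ENOSYS) rather than EPERM is a deliberate choice: it lets an operator tell a filter denial apart from an ordinary capability check when triaging failures.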
References
1. National Security Agency, Cybersecurity and Infrastructure Security Agency. (2022, March). Kubernetes Hardening Guide. Retrieved April 1, 2022.
2. Cowan, C. (2017, March 23). Strengthening the Microsoft Edge Sandbox. Retrieved March 12, 2018.
3. Goodin, D. (2017, March 17). Virtual machine escape fetches $105,000 at Pwn2Own hacking contest - updated. Retrieved March 12, 2018.
4. Microsoft. (n.d.). What is Protected View?. Retrieved November 22, 2017.